In February 2016, the AREA performed a preliminary analysis of the field of enterprise AR security. We learned that there was virtually nothing available about the topic on the Web, low understanding among customers and suppliers, and only a few firms, such as AREA member Augmate, were exploring how to identify and address issues.
As has recently been demonstrated by the global “ransomware” attack and the Distributed Denial of Service attack caused by security breaches on webcams and IoT devices in October 2016, governments, businesses and consumers reliant on Internet-connected computers are increasingly more vulnerable to risk. In the final days of 2016, analysts and cybersecurity experts predicted that “2017 will be a critical year for security, starting with how it’s built into technology. DevOps and security will change the way they work together as they realize the need to integrate with each other in order to survive.”
Unfortunately, very little attention has been focused on enterprise AR security risks since the exploratory project in early 2016 but it’s my conviction that no one in the AR ecosystem can afford to continue ignoring or denying the security issues. Many AREA members agree that there is potentially a problem.
In April, the AREA kicked off its Research Committee’s first project with Brainwaive LLC. Brainwaive’s team of cybersecurity experts has been digging into topics pertaining to data security risks when introducing new, wearable Augmented Reality devices in the enterprise. I’m managing this project on behalf of the AREA’s members.
The project team is preparing reports to help AREA members understand the issues and prepare for the mitigation of risks. These reports are based on experience in security mitigation frameworks and tactics in IoT and other fields, interviews with different AR ecosystem stakeholders, and online research, as well as hands-on testing of wearable AR devices. The hands-on testing exposed many interesting risks as well as opportunities. The value these reports contain can’t be conveyed in a few posts on a blog. The reports will deliver practical approaches to those who will study them carefully.
What I can share that concerns me greatly as I have listened to interviews Brainwaive has recently conducted is the apparent desire by many of the stakeholders involved in wearable AR device development (and the greater AR experience design and development value chain) to pass the buck on security. There’s a widespread assumption that wearable AR devices will be managed similarly to or in the same fashion as other mobile devices. The weakness in this thinking is that, unlike wearable AR displays currently being furnished for developer use, mobile devices deployed for enterprise use are security-hardened.
Sooner or later, the prevalent “it’s not my problem” mindset must change if we expect enterprise IT managers to embrace new devices and support systems enabling the changes that AR promises to deliver. For the mindset to change we need:
- AR customers to put security mitigation as high on their list of requirements as low latency, wide Field of View and ease of use; and
- enterprise AR technology providers to collaborate with security community leaders to design wearable AR displays with security by default, not an add-on.
If you are an AR customer who has already put data security features on your AR requirements list, please use the comments section of this blog post to share with others in our community how you have stated those requirements.
If you are a wearable AR device manufacturer who has included security features by design, please make those features more clear so that the Brainwaive team, among others, can more easily evaluate and include them in the AREA’s upcoming security framework.
Those who wish to preserve their anonymity while contributing to this important project are invited to contact Tony Hodgson, CEO of Brainwaive, directly via e-mail at email@example.com.